Faced with a flurry of cyberattacks, the European Union is asking its critical sectors to harden their defenses.
Early on Friday, negotiators of a new EU cybersecurity directive struck a deal that will force sensitive industries such as banking, energy, telecoms and transport to better protect their networks and invest in cybersecurity, in an effort to stop hackers from disrupting society’s critical functions. Public administrations are also affected by the directive.
The new law is a cornerstone of a wider EU strategy to respond to the multiple waves of cyberattacks that accompanied the coronavirus pandemic, renewed geopolitical tensions between the West, Russia and China, and more recently the war in Ukraine. Major incidents ranged from cybercriminal “ransomware” attacks like the ones on U.S. oil pipeline operator Colonial and Ireland’s health care system, to cyber espionage campaigns on agencies and ministries across the EU.
Under the new directive, critical companies and organizations will have to set up and audit cybersecurity response plans, flag cybersecurity incidents to authorities within 24 hours and use state-of-the-art cybersecurity technologies to prevent hacks — or face sizeable fines.
Representatives of the European Commission, Parliament and EU Council agreed on the details of the Network and Information Security Directive (NIS2 Directive) during late-night talks in Brussels.
The law “is going to help over a hundred thousand entities to tighten their grip on security and make Europe a safe place to live and work,” said Bart Groothuis, the Dutch Liberal MEP who led the negotiations on behalf of the European Parliament. “If we are being attacked on an industrial scale, we need to respond on an industrial scale.”
The law is a revamp of the EU’s first-ever cybersecurity legislation, which was adopted in 2016 and was a first step in giving EU authorities oversight and control over cybersecurity. Member countries had been touchy about the issue for a long time, as it is closely linked to national security, but the flood of disruptive cyberattacks in past years forced EU governments to work more closely at the European level.
Strengthening Europe’s cybersecurity “cuts to the heart of many other policies, from the development of AI, semiconductors, and the defence sector, to our ability to keep the lights on and hospitals open,” Eva Maydell, a center-right European Parliament member from Bulgaria who worked closely on the law, said in a text message.
The legislation imposes a long list of requirements on companies, organizations and public services, including patching software vulnerabilities, preparing risk management measures, sharing information and informing authorities about incidents within 24 hours as well as providing a full report within three days.
Organizations would face fines of 2 percent of turnover for operators of essential services and 1.4 percent for important service providers, negotiators decided. Those figures roughly correspond to what ransomware groups generally demand in ransom payments when they hack major organizations, they said.
“The trade-off becomes: Do I pay the ransom, pay the fine, or rather invest in security prior to getting hacked,” Groothuis, the lead MEP, said.
Negotiators also agreed to include key public administrations within the scope of the law, meaning many government services will have to comply with the requirements too. National governments will also have to come up with policies that let cyber authorities launch preventive operations against hacks and attacks, rather than simply responding to crises.
“This agreement is not a silver bullet, but the scale of this challenge means we must build an arsenal to protect our digital networks against harm and foul play,” said Maydell, the Bulgarian MEP.
The law will need formal approval from EU member countries and the European Parliament. Then, it’s up to national governments to implement the rules.